in operator/pkg/controllers/master/kubecontrollermanager.go [79:212]
// kcmPodSpecFor builds the PodSpec that runs kube-controller-manager for the
// given control plane.
//
// The pod runs on the host network with node-critical priority, tolerates
// every taint, and is pinned by nodeSelector to the cluster's control-plane
// nodes. All key material (cluster CA, front-proxy CA, service-account key
// pair, kubeconfig) and the AWS cloud config are projected read-only from the
// per-cluster Secrets / ConfigMap named by the *NameFor helpers in this
// package; the container itself is never given writable access to them.
func kcmPodSpecFor(controlPlane *v1alpha1.ControlPlane) v1.PodSpec {
	clusterName := controlPlane.ClusterName()
	hostPathType := v1.HostPathDirectoryOrCreate

	// In-container locations; the mount paths below and the flag values
	// handed to kube-controller-manager must stay in sync.
	const (
		caDir          = "/etc/kubernetes/pki/ca"
		proxyCADir     = "/etc/kubernetes/pki/proxy-ca"
		saDir          = "/etc/kubernetes/pki/sa"
		kcmConfigDir   = "/etc/kubernetes/config/kcm"
		cloudConfigDir = "/etc/kubernetes/cloud-config"
		caCertPath     = caDir + "/ca.crt"
		kubeconfigPath = kcmConfigDir + "/controller-manager.conf"
	)

	// roMount declares a read-only mount of the named volume.
	roMount := func(name, mountPath string) v1.VolumeMount {
		return v1.VolumeMount{Name: name, MountPath: mountPath, ReadOnly: true}
	}

	// secretVolume projects selected keys of a Secret as files owned by the
	// container user with mode 0400, so nothing else in the pod can read them.
	secretVolume := func(name, secretName string, items ...v1.KeyToPath) v1.Volume {
		return v1.Volume{
			Name: name,
			VolumeSource: v1.VolumeSource{
				Secret: &v1.SecretVolumeSource{
					SecretName:  secretName,
					DefaultMode: aws.Int32(0400),
					Items:       items,
				},
			},
		}
	}

	args := []string{
		"--authentication-kubeconfig=" + kubeconfigPath,
		"--authorization-kubeconfig=" + kubeconfigPath,
		// Host-network pod: the secure port only listens on loopback, and
		// --port=0 turns the legacy insecure port off entirely.
		"--bind-address=127.0.0.1",
		"--client-ca-file=" + caCertPath,
		"--cluster-signing-cert-file=" + caCertPath,
		"--cluster-signing-key-file=" + caDir + "/ca.key",
		// csrsigning is disabled here; the --cluster-signing-* flags above
		// are only consumed by that controller.
		"--controllers=*,-csrsigning",
		"--kubeconfig=" + kubeconfigPath,
		"--leader-elect=true",
		"--port=0",
		"--requestheader-client-ca-file=" + proxyCADir + "/front-proxy-ca.crt",
		"--root-ca-file=" + caCertPath,
		"--service-account-private-key-file=" + saDir + "/sa.key",
		// Each controller authenticates with its own service account rather
		// than the shared controller-manager credential.
		"--use-service-account-credentials=true",
		"--cloud-provider=aws",
		"--cloud-config=" + cloudConfigDir + "/aws.config",
	}

	mounts := []v1.VolumeMount{
		roMount("ca-certs", "/etc/ssl/certs"),
		roMount("client-ca-file", caDir),
		roMount("front-proxy-ca", proxyCADir),
		roMount("service-account", saDir),
		roMount("kcm-config", kcmConfigDir),
		roMount("cloud-config", cloudConfigDir),
	}

	volumes := []v1.Volume{
		{
			// Host trust store, so the cloud provider client can verify AWS
			// endpoints; the directory is created on the node if absent.
			Name: "ca-certs",
			VolumeSource: v1.VolumeSource{
				HostPath: &v1.HostPathVolumeSource{
					Path: "/etc/ssl/certs",
					Type: &hostPathType,
				},
			},
		},
		// NOTE(review): ca.key is projected for --cluster-signing-key-file,
		// but csrsigning is disabled in --controllers, so the CA private key
		// may not be needed inside this pod at all — confirm before dropping
		// the "private" item.
		secretVolume("client-ca-file", RootCASecretNameFor(clusterName),
			v1.KeyToPath{Key: "public", Path: "ca.crt"},
			v1.KeyToPath{Key: "private", Path: "ca.key"},
		),
		// Only the front-proxy CA certificate is needed to verify aggregated
		// API request headers; its private key stays out of the pod.
		secretVolume("front-proxy-ca", FrontProxyCASecretNameFor(clusterName),
			v1.KeyToPath{Key: "public", Path: "front-proxy-ca.crt"},
		),
		secretVolume("service-account", SAKeyPairSecretNameFor(clusterName),
			v1.KeyToPath{Key: "public", Path: "sa.pub"},
			v1.KeyToPath{Key: "private", Path: "sa.key"},
		),
		secretVolume("kcm-config", KubeControllerManagerSecretNameFor(clusterName),
			v1.KeyToPath{Key: "config", Path: "controller-manager.conf"},
		),
		{
			Name: "cloud-config",
			VolumeSource: v1.VolumeSource{
				ConfigMap: &v1.ConfigMapVolumeSource{
					LocalObjectReference: v1.LocalObjectReference{Name: CloudConfigMapName(clusterName)},
				},
			},
		},
	}

	return v1.PodSpec{
		TerminationGracePeriodSeconds: aws.Int64(1),
		HostNetwork:                   true,
		DNSPolicy:                     v1.DNSClusterFirstWithHostNet,
		PriorityClassName:             "system-node-critical",
		Tolerations:                   []v1.Toleration{{Operator: v1.TolerationOpExists}},
		NodeSelector:                  nodeSelector(clusterName),
		Containers: []v1.Container{{
			Name:    "controller-manager",
			Image:   imageprovider.KubeControllerManager(controlPlane.Spec.KubernetesVersion),
			Command: []string{"kube-controller-manager"},
			Resources: v1.ResourceRequirements{
				Requests: v1.ResourceList{
					v1.ResourceCPU: resource.MustParse("1"),
				},
			},
			Args:         args,
			VolumeMounts: mounts,
		}},
		Volumes: volumes,
	}
}